quasar | e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5 | Triage

Sharing

General

Target

e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5.exe
Size

3.1MB
Sample

241118-pdfnsswhjn
MD5

8a86375d4afaad3b3784efe30144a978
SHA1

20b26de7d75461d01d01bb025c67bff370301655
SHA256

e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5
SHA512

126979671be90d7712e340f4c70aff968c7570a3abdb794a8f964c81f3830a2da9f0d5755dd9a0c84435232381b835deef74b67775fc2a6c1a789ad398ff53d5
SSDEEP

49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NTh:7vNL26AaNeWgPhlmVqkQ7XSKd74wIz

Score

10^/10

quasar runtimebroker spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

C2

anonam39-41248.portmap.io:41248

Mutex

bcabad1b-b1a9-478b-a187-3607b6476fd1

Attributes

encryption_key
479AF86B7B3A0AC9CE19AAE974A681BB6EE1949C
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a7

Targets

- Target
  
  e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5.exe
- Size
  
  3.1MB
- MD5
  
  8a86375d4afaad3b3784efe30144a978
- SHA1
  
  20b26de7d75461d01d01bb025c67bff370301655
- SHA256
  
  e533ec44e0fbee8057cf1b3ad4782b277a5801eb02eab57082634f34bb6cfcc5
- SHA512
  
  126979671be90d7712e340f4c70aff968c7570a3abdb794a8f964c81f3830a2da9f0d5755dd9a0c84435232381b835deef74b67775fc2a6c1a789ad398ff53d5
- SSDEEP
  
  49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NTh:7vNL26AaNeWgPhlmVqkQ7XSKd74wIz
Score

10^/10

quasar runtimebroker spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

runtimebrokerquasar

behavioral1

quasarruntimebrokerspywaretrojan

behavioral2

quasarruntimebrokerspywaretrojan